Photon-Number-Splitting versus Cloning Attacks in Practical Implementations of the 
Bennett-Brassard 1984 protocol for Quantum Cryptography 



in 
o 
o 

(N 

Ph. 
< 

in 



> 
(N 

oo 

o 

O 

:^ 

Oh! 

> ■ 



Armand Niederberger^ , Valerio Scarani^, Nicolas Gisin^ 
^ Section de Physique, Ecole Polytechinque Federale de Lausanne, CH-1015 Ecublens 
Group of Applied Physics, University of Geneva, 20, rue de I'Ecole-de-Medecme, CH-1211 Geneva 4, Switzerland 

(February 1, 2008) 

In practical quantum cryptography, the source sometimes produces multi-photon pulses, thus 
enabling the eavesdropper Eve to perform the powerful photon-number-splitting (PNS) attack. Re- 
cently, it was shown by Curty and Liitkenhaus [Phys. Rev. A 69, 042321 (2004)] that the PNS 
attack is not always the optimal attack when two photons are present: if errors are present in the 
correlations Alice-Bob and if Eve cannot modify Bob's detection efficiency. Eve gains a larger amount 
of information using another attack based on a 2 — > 3 cloning machine. In this work, we extend 
this analysis to all distances Alice-Bob. We identify a new incoherent 2^3 cloning attack which 
performs better than those described before. Using it, we confirm that, in the presence of errors. 
Eve's better strategy uses 2 — > 3 cloning attacks instead of the PNS. However, this improvement 
is very small for the implementations of the Bennett-Brassard 1984 (BB84) protocol. Thus, the 
existence of these new attacks is conceptually interesting but basically does not change the value of 
the security parameters of BB84. The main results are valid both for Poissonian and sub-Poissonian 
sources. 



I. INTRODUCTION 



Quantum cryptography, or more precisely quantum 
key distribution (QKD) is a physically secure method for 
the distribution of a secret key between two distant part- 
ners, AHce and Bob, that share a quantum channel and 
a classical authenticated channel [1]. Its security comes 
from the well-known fact that the measurement of an 
unknown quantum state modifies the state itself: thus 
an eavesdropper on the quantum channel, Eve, cannot 
get information on the key without introducing errors in 
the correlations between Alice and Bob. In equivalent 
terms, QKD is secure because of the no-cloning theorem 
of quantum mechanics: Eve cannot duplicate the signal 
and forward a perfect copy to Bob. 

However, perfect single-photon sources are never avail- 
able, and in most practical implementation the source is 
simply an attenuated laser. This means that some of the 
pulses travelling from Alice to Bob contain more than 
one photon. These items, in the unavoidable presence of 
losses in the quantum channel, open an important loop- 
hole for security: Eve may perform the so-called photon- 
numbcr-splitting (PNS) attack, consisting in keeping one 
photon in a quantum memory while forwarding the re- 
maining ones to Bob [2,3]. This way. Eve has kept a 
perfect copy without introducing any error. In particu- 
lar, here we consider the BB84 QKD protocol introduced 
by Bennett and Brassard in 1984 [4]. In this protocol, 
when the basis is revealed in the sifting phase Eve can 
measure each photon that she has kept in the good basis 
and obtain full information on the bit. 

Until recently, it was thought that this attack was the 
best Eve could do when two or more photons are present. 
However, in a recent work [5], Curty and Liitkenhaus 
(CL) have shown that this is not the case for noisy lines 
(optical visibility V < 1) and imperfect detectors (quan- 



tum efficiency r], dark count probability pd), when the 
natural assumption is made that Eve cannot modify the 
detectors' parameters. Basically, the idea is simple: con- 
sider pulses that contain two photons. In the PNS attack. 
Eve has full information after the basis announcement 
provided Bob has detected the photon that was sent. So, 
in the information balance, Eve's information for such 
an item is 77 x 1. Suppose now that Eve, instead of per- 
forming the PNS, uses a suitable 2 — > 3 cloning machine, 
keeps one photon and forwards the other two photons 
to Bob. Eve's information conditioned to Bob's detec- 
tion could be Ic2 < 1, but now the probability that Bob 
detects a photon of the pulse is (1 — (1 — v)'^)- Thus 
for small values of rj, Eve's information for a two-photon 
pulse becomes 2r] x Ic2, and this may be larger than rj. 
Of course, by using such a doner, Eve introduces some 
errors, so this attack is possible only up to the expected 
quantum bit error rate (QBER). 

As we prove below however, the analysis of CL is re- 
stricted to a specific distance of the line Alice-Bob, which 
turns out to be unrealistically short. The goal of this 
paper is to evaluate the contribution of the individual 
attacks that use 2 — > 3 cloning machines for all distances 
in a realistic range of parameters. When this is done, 
the contribution of attacks using 2^3 cloning machines 
leads to a negligible improvement over the usual PNS 
strategies: both the achievable secret-key rate and the 
maximal distance are for all practical purpose the same, 
whether these new attacks are used or not. This is our 
main result. In the run, we describe a new strategy that 
uses a 2 ^ 3 cloning machines, that performs better 
than those previously described. This new strategy has 
an intuitive explanation which opens the possibility of 
immediate generalizations: in particular, it may prove 
useful to study the security of other protocols, against 
which the PNS attacks are less effective [6-8]. 
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The paper is constructed as follows. In Section II, we 
state precisely our hypotheses and write down general 
formulae, in which Eve's attack is parametrized by the 
probabilities of performing each strategy, and submitted 
to some constraints. At the end of this Section, we show 
that the analysis of CL, correct though it is, is valid only 
for a given distance between Alice and Bob, whence the 
need for the present extension of their work. Section III 
contains the main results: we perform numerical opti- 
mization assuming the two known 2^3 cloning strate- 
gies and our new one, showing that ours performs indeed 
better but that its contribution is on the whole negligible. 
Section IV is devoted to some extensions and remarks. 
Finally, in Section V, we give some semi-analytical for- 
mulae that reproduce the full numerical optimization to 
a satisfactory degree of accuracy: these are useful for 
experimentalists, to find bounds for the performance of 
their setups. Section VI is a conclusion. 



Bob 's detector. It has a limited quantum efficiency rj 
and a probability of dark count per gate The gate 
here means that Bob knows when a pulse sent by Al- 
ice is supposed to arrive, and opens his detector only at 
those times; so here, "per [Bob's] gate" and "per [Al- 
ice's] pulse" are equivalent. Those two parameters are 
not uncorrclated: in reverse-biased avalanche photodi- 
odes, a larger bias voltage increases both r] and pd- Typ- 
ical values nowadays are r] = 0.1 and pa = 10~^. 



B. Alice and Bob's rates and information 

We write pb{0) the probability per pulse that Bob de- 
tects no photon sent by Alice. Since both losses in the 
line and detection are binomial processes, 



PB{0) = J2Mn){i-tvr; 



(2) 



II. HYPOTHESES AND GENERAL FORMULAE 
A. Imperfect source, line and detectors 

We are concerned with practical quantum cryptogra- 
phy, so the first point is to describe the limitations on 
Alice's and Bob's hardware. We work in a prepare-and- 
measure scheme. 

Alice's source. Alice encodes her classical bits in light 
pulses; the number of photons in each pulse is distributed 
according to a probability law pA{n). In most practical 
QKD setups, Alice's source is an attenuated laser pulse, 
so PA{n) = p{n\ii) the Poissonian distribution of mean 
photon number ji. But our general formulae and most 
of our results will be valid independently of the distri- 
bution, so in particular they apply to all quasi-single- 
photon sources [9] . For heralded single-photons obtained 
from an entangled pair [10], the situation is more com- 
plex. If the twin photon is used only as a trigger, and 
the preparation of the state is done directly on the pho- 
ton(s) travelling to Bob, then this source behaves exactly 
as a sub-Poissonian source, and our subsequent analysis 
applies. If on the contrary the twin photon is used also 
for the preparation (because one detects its polarization 
state, thus preparing at a distance the state of the photon 
travelling to Bob), then the PNS attack is not relevant 
[1,3]. 

Alice-Bob quantum channel. The quantum channel 
which connects Alice and Bob is characterized by the 
losses a, usually given in dB/km (for optical fibers at 
the telecom wavelength 1550nm, the typical value is 
a ~ 0.25dB/km). The transmission of the line at a dis- 
tance d is therefore 



t= 10-«<i/10. 



(1) 



Moreover, we take into account non-perfect visibility V 
of the interference fringes. 



for a Poissonian distribution on Alice's side, Pb{0) = 
p{0\^tr]). We consider only those cases in which Alice 
and Bob use the same basis, because in any case the other 
items will be discarded during the sifting phase. Bob's 
count rates per pulse in the "right" and the "wrong" de- 
tector are then given by [11] 
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where the factor i accounts for the losses in the sifting 
phase. The QBER is the fraction of wrong bits accepted 
by Bob, 
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(5) 



In particular, as long as (l — Pb(0)) » PBiO)Pd, one 
can neglect Cwrong in the denominator and decompose 
Q = Qopt + Qdet, with the optical QBER defined as 
Qopt = The mutual information Alice-Bob after 

sifting is 

I{A : B) = {Cright + Cwrong) [1 - H{Q)] (6) 

where H is Shannon entropy. 

C. Hypotheses on Eve's attacks 

Hypothesis 1: The characteristics of the quantum chan- 
nel (the optical QBER, or more precisely V, and the 
losses, that determine the transmission t) are fully at- 
tributed to Eve. On the contrary. Eve has no access to 
Bob's detector: rj and pa are given parameters for both 
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Bob and Eve. The eavesdropper will of course adapt her 
strategy to the value of these parameters, but she eannot 
play with them. This hypothesis is almost unanimously 
accepted as reasonable; it implies that Bob monitors the 
rate of double clicks when he happened to measure in 
the wrong basis; if this rate is larger than expected, he 
aborts the protocol. As realized by CL [5], it is precisely 
this hypothesis that opens the possibility for the cloning 
attacks to perform better than the PNS [12]. 

Hypothesis 2: Through her PNS attacks. Eve should 
not modify Bob's expected count rate due to Alice's pho- 
tons Cph = |[1 — pb(0)]. This constraint is usually as- 
sumed in the study of PNS attacks, see e.g. Refs [2,3,5-7]; 
still, two comments are needed. One could strengthen the 
constraint by requiring Eve to reproduce the full photon- 
number statistics at Bob's side. But one could as well 
weaken it: here, we are asking that Bob should not no- 
tice PNS attacks at all; Eve could be allowed to perform 
noticeable PNS attacks, in which case one should bound 
her information and study the possibility of privacy am- 
plification. 

Hypothesis 3: Eve performs incoherent attacks: she at- 
tacks each pulse individually, and measures her quantum 
systems just after the sifting phase. The justification for 
this strong hypothesis is related to the state-of-the-art of 
the research in quantum cryptography: no one has found 
yet an explicit coherent attacks that performs better than 
the incoherent ones [13]. In other words, incoherent at- 
tacks are still used to compute upper bounds for secu- 
rity, while "unconditional security" proofs provide lower 
bounds [14], and for all protocols there is an open gap 
between the two bounds. Note also that incoherent at- 
tacks are not "realistic" in the sense of those described 
e.g. in [15]; in particular. Eve is allowed to store quan- 
tum information in a quantum memory. The hypothe- 
sis of incoherent attacks implies in particular that after 
sifting, Alice, Bob and Eve share several independent re- 
alizations of a random variable distributed according to 
a classical probability law. Under this assumption and 
the assumption of one-way error correction and privacy 
amplification, the Csiszar-Korner bound applies [16]: one 
can achieve a secret-key rate given by 

S = I{A:B)- I{A : E) . (7) 

Actually, this is a conservative assumption: in the pres- 
ence of dark counts, I{B : E) < I{A : E) holds, so 
the strict bound for S is I {A : B) - I{B : E); how- 
ever, the difference is small, and I{A : E) is easier to 
estimate. We devote paragraph IV C below to comment 
about I(B : E). The mutual information I {A : B) has 
been given in (6), we should now provide an expression 
for I{A : E). 

D. Eve's strategies 

Having stated the hypotheses on Eve's attacks, we can 
now formulate Eve's strategy as a function of some pa- 



rameters. Wc suppose that the first thing Eve does, just 
outside Alice's lab, is a non-destructive measurement of 
the photon number. Sometimes, she will simply find 
n = and there is nothing more to do. When n > 0, 
she will choose some attacks with the suitable probabili- 
ties. We have attributed all the losses in the line to Eve: 
this means that Eve replaces the quantum channel with 
a lossless line, and takes advantage of the losses to keep 
in a quantum memory or simply block some photons. 

Strategy for n = 1. When Eve finds one photon, with 
some probability Pd she applies the well-known opti- 
mal incoherent attack [17], that consists in (i) applying 
the optimal asymmetric phase-covariant cloning machine 
[18], (ii) forwarding the original photon to Bob while 
keeping the clone and the ancilla in a quantum memory, 
(iii) make the suitable measurement as soon as the basis 
is revealed. This strategy contributes to Bob's detection 
rate with 

Ri = ^r]pA{l)Pci, (8) 

where the factor \r} is due to the fact that Bob must 
accept the item (detect the photon and accept at sift- 
ing). On these items. Eve introduces a disturbance Di 
and gains the information Ii{Di) = 1 — H{Pi) with 
Pi = i ^/Di{l - Dl). With probabihty pbi = l-pci, 
Eve simply blocks the photon in principle, one can 
define the probability pn that Eve leaves the photon fly 
to Bob without doing anything, but this is not useful for 
her (we left this parameter free in our numerical simula- 
tions, see Section III, and verified that one indeed finds 
always pn =0). 

Strategy for n = 2. Sometimes, Eve finds two photons. 
The standard PNS strategy is a storage attack: Eve keeps 
one photon in a quantum memory, and forwards the other 
one to Bob. Eve applies the storage attack with proba- 
bility Ps2- This strategy contributes to Bob's detection 
rate with 

-R2s = ^??pa(2)ps2 ; (9) 

on these items. Eve introduces no disturbance Di and 
gains the information Is2 = 1. As stressed in the intro- 
duction, the main theme of this work is CL's observa- 
tion that the storage attack may not always be the best 
Eve can do on two photons. With probability Pc2) she 
rather uses a 2 ^ 3 asymmetric cloning machine, keeps 
the clone and the ancillae and forwards the two original 
photons, now slightly perturbed, to Bob. This strategy 
contributes to Bob's detection rate with 

R2c = \{l-{l-llf)VA{2)Pc2\ (10) 

on these items, Eve introduces a disturbance D2 and 
gains an information I2{D2) that depends on the cloning 
machine that is used. Finally, one can in principle define 
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the probability of blocking both photons ph2] but this 
turns out to be always zero in practice (as for pn, we 
used this as a free parameter in the numerical simula- 
tions). The reason is the following. If Eve could repro- 
duce Bob's detection rate by blocking all the n = 1 items 
(in which case, she might have to block also some of the 
n = 2 items), she'd have full information. Alice will then 
choose her probabilities PA{n) in such a way that this is 
not the case: Eve must be forced to forward some items 
with n = 1. Now, Eve gains more information on the 
n = 2 than on the n = 1 items: therefore, she has better 
use all the losses to block as much n = 1 items as pos- 
sible; but then, she cannot block any n — 2 item. Thus 
Pb2 = and = 1 - Ps2- 

Strategy for n > 3. If Eve finds more than two pho- 
tons, we suppose that she performs always the storage 
attack: she keeps one photon and forwards the remain- 
ing n — 1 photons to Bob. This strategy contributes to 
Bob's detection rate with 

n>3 

on these items, Eve introduces no disturbance and gains 
full information. This is not always optimal: unambigu- 
ous discrimination strategies [6,7] or cloning attacks [5] 
may give Eve more information. However, we don't dis- 
cuss the full optimization because in any case the contri- 
bution of items where n > 2 to the total information is 
small, as will be clear below. Note also that in a stor- 
age attack Eve systematically removes one photon; at 
very short distances, this might not be possible because 
the expected losses in the line Alice-Bob are not large 
enough. To avoid any surprise, we shall start all our nu- 
merical optimization at a distance d = 10km, where the 
losses are definitely large enough to allow storage attack 
on all items with n > 3 [19]. 

Summary. We allow to perform different attacks with 
different probabilities, conditioned on the knowledge of 
the number of photons present in each pulse. Apart from 
the hypotheses made on R3, this represents the most gen- 
eral incoherent attack on the BB84 protocol — provided 
the hardware is protected against "realistic attacks" like 
Trojan horse, faked states and similar [21], as we suppose 
it to be. 



E. Formulae for Eve's attack 

We can now group everything together and describe 
the formulae that will be used for Eve's attack. Eve's 
information on Bob's bits reads [20] 

liA : E) = RihiDi) + R2s + R2MD2) + R3 (12) 

where 

h{Di) = l-H[^ + ^D,il-Dl)) (13) 



and where 12(^2) is the information gained by Eve using 
a 2 ^ 3 asymmetric cloning machine, for which the op- 
timal is not known (see next Section). For a given prob- 
ability distribution used by Alice PA{n), Eve chooses the 
four parameters pd, Pc2, Di and D2 in order to maxi- 
mize (12), submitted to the constraints that determine 
t and V. The constraint on t guarantees that the losses 
introduced by Eve must be those expected on the quan- 
tum channel, so in particular that Bob's detection rate 
is unchanged: 

Rl+R2s+R2c + R3 = l{l- PB (0)) . (14) 

Alice and Bob have to choose their source in order to 

ensure that Eve cannot set _Ri = 0, otherwise she has 
full information by simply using the PNS. This is the 
reason why the contribution of R3 is small: the lead- 
ing term is a fraction of pyi(l), typically of the order of 
Pa{2). Now, pa{3)/pa{2) = 0{ii) ~ 0.1 for the usual 
Poissonian source, and even smaller for sub-Poissonian 
ones. The constraint on V guarantees that the error rate 
introduced by Eve must sum up to the observed optical 
QBER, that is 

+ R2CD2 = ^ (1 - Pb(0)) (j-Y-) ■ (1^) 

In the next Section, we discuss a good choice of 12(02), 
then perform numerically the optimization of Eve's 
strategies over the four parameters Pd, Pc2, -Di and Z>2. 
Before this, we are now able to pinpoint the limitations 
of the analysis of CL. 

F. The limitation in CL 

In our notations, the parameter p that characterizes 
Alice's source in Ref. [5] is given by p = j^^j^, the 
conditional probability of having one photon in a non- 
empty pulse. Items with more than two photons are ne- 
glected, so in our notations R3 = and 1— p = i^pf^Q^ ■ 
This assumption is not critical a priori. What is critical, 
is the choice of Eve's attacks that are compared. The 
PNS attack i?2c = is compared to a cloning attack 
in which not only i?2s, but also Ri is set to 0. As CL 
correctly note, the comparison is fair only if the coimt- 
ing rates are the same between the two strategies, which 
reads here Rf^^ + R^J^^ = Rf°"; in turn, this condition 
determines p = 1/(2 — 77) . Now, Alice should adapt the 
parameters of her probability distribution as a function 
of the distance of the quantum channel. Thus, a given 
value of p will be optimal only for a given distance (or at 
best, for a small range of possible distances): the fact of 
setting i?i = in the cloning attack limits the validity of 
CL's analysis to a given length of the line Alice-Bob. 

In particular, if we consider that pa(") is a Poissonian 
distribution, then ^ = £gg = f ; settings = 1/(2-??) 
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leads to /i = > 2. This is a very large value of /i, that 
consequently can be used only at a very short distance. 

III. MAIN RESULTS 

The problem that we want to solve involves a dou- 
ble optimization. For any given distance, Alice should 
choose the parameters of her source (e.g. for a Poisso- 
nian source, the mean number of photons per pulse) in 
such a way as to optimize the secret key rate S, Eq. (7). 
This quantity must be computed for Eve's best strategy, 
i.e. for I{A : E) as large as possible: so, for any choice of 
Alice's parameters, we must find the values of pci, Pc2^ 
Di and D2 that maximize (12) under the constraints (14) 
and (15). For this task, numerical algorithms are the rea- 
sonable choice. But, as an input for these algorithms, we 
need the explicit form of 12(02) ■ We devote the next 
paragraph to this point. 

A. The choice of the 2^3 cloning attack 

Eve receives two photons in the state where jV') 

is one of the four states used in BB84. She has these 
photons interact with a probe of hers, then she forwards 
two photons to Bob, having introduced an average dis- 
turbance D2- By measuring her probe after the sifting 
phase. Eve gains an information 12(02) on the state pre- 
pared by Alice. Finding the optimal attacks means find- 
ing the best unitary transformation, the best probe and 
the best measurement on it, such that 12(02) is maxi- 
mal for any given value of 02- Though well-defined, this 
problem is very hard to solve in general. Let's restrict 
to attacks such that the photons flying to Bob after the 
interaction are in a symmetric state, so that the trans- 
formation reads 

\k)\E)^j2ci\k')\E'^) (16) 

where \k) is a basis of the symmetric subspace of two 
qubits. There are nine vectors \ E^),so Eve's probe must 
be at least nine-dimensional to avoid loss of generality. In 
addition, the measurement that gives Eve the best guess 
on the state sent by Alice is not known in general. In 
summary, finding the optimal 12(02) in full generality 
amounts to solving an optimization over more than hun- 
dred real parameters, for an undefined figure of merit. 
We give this up and try a different approach, namely to 
guess a good (if not the optimal) 2^3 cloning attack. 

Let's first look at what is already known. Two asym- 
metric 2^3 cloning machines were proposed in Ref. [7]; 
Curty and Liitkenhaus [5] based their analysis of 2 ^ 3 
cloning attacks on those. The first machine (doner A) 
is a universal asymmetric doner, recently proven to be 
optimal in terms of fidelity [22]. For a disturbance O2 



introduced on Bob's states, this machine gives Eve an 

information [5] 

1^(02) = 2O2 + (1 - 2O2) [I - H(P2)] (17) 

with P2 = \ (^8^2(1 -4£)2)) /(I - 2£)2)- A particu- 
larly interesting feature is that I2 (O2 = 1/6) = 1 . This 
sounds at first astonishing, because one is used to Eve's 
getting full information only by breaking all correlations 
between Alice and Bob. But this is the case only if 
Eve receives a single photon from Alice. Here Eve re- 
ceives two photons in the same state. In fact, the result 
12(02 = 1/6) = 1 is not only reasonable, but it can be 
reached by a much simpler strategy: Eve just keeps one 
of the two incoming photons (so, after sifting, she can get 
full information) and duplicates the second one using the 
optimal symmetric 1 — > 2 doner of Buzek-Hillery [23], 
which makes copies with fidelity |, whence D2 = |. 

Cloner A is good (and we conjecture it to be optimal) 
to attack two-photon pulses in the six-state protocol [24], 
because of its symmetry. However, here we are dealing 
with BB84: for the one-photon case, it is known that 
one can do better than using the universal asymmetric 
cloner. In fact, the optimal incoherent attack on single- 
photon pulses uses the phase- covariant cloning machine, 
that copies at best two maximally conjugated bases out 
of three [18]. So we suspect that also for the 2^3 
cloning attack, we should rather look for an asymmetric 
2 — > 3 phase-covariant cloner. The second cloner (cloner 
B) described in Ref. [7] is an example of such a cloner. 
However, it has some unpleasant features: one the one 
hand, in terms of fidelity it is slightly suboptimal for the 
parameter that defines symmetric cloning [25]; more im- 
portant, 12(02) < 1 for all values of O2 — we don't 
write 12(02) explicitly, because it is quite complicated 
and after all unimportant for the present work; see Ref. 

In summary, two 2^3 asymmetric cloning machines 
have been discussed in the literature, but they are sub- 
optimal for our task. Still, in the sake of comparison 
with Ref. [5], we ran our first numerical optimizations 
using 12(02), then 12(02). The result is striking: (i) 
if I2 = I2J then the optimal strategy is always obtained 
for O2 — -^j whatever the values of the other parameters; 
(ii) if l2 = I2 1 the optimal strategy is the one that uses 
no 2 ^ 3 cloning attack (pc2 = 0). Following this obser- 
vation, it is natural to emit the following conjecture: the 
2 — > 3 cloner is always used for the value of O2 that gives 

12(02) = 1 . (18) 

Under this conjecture, we can then replace 12(02) by 1 
in (12), and we have to find the lowest value of D2 for 
which (18) holds. In general, this is a task of the same 
complexity as optimizing Eve's strategy for all values of 
O2 ; but we can at least construct a very simple strategy 
which has an intuitive interpretation, and which performs 
better than the ones which use doners A and B: 
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Hypothesis 4- the strategy for the 2 — > 3 cloning at- 
tack is the following: out of two photons sent by Alice, 
Eve keeps one and sends the other one into the optimal 
symmetric I ~^ 2 phase- covariant doner. 

This provides Eve with 12(02) = 1 after sifting, and 
Bob receives two photons with a disturbance 



1 



1 



(19) 



that is ~ 0.1464 [18]. Since this disturbance is smaller 
than i, for any fixed value of V Eve can use the 2^3 
cloning attack more often than in the optimized version of 
the attack using doner A, see constraint (15). That's why 
our new attack performs better. Moreover, the attack has 
an intuitive form, that can be generalized: in particular, 
it seems natural to extend the conjecture to attacks on 
n > 2 photons, although here we don't consider this ex- 
tension because these cases are rare (see above) . In what 
follows, we comment on the explicit results that we find 
for the numerical optimization using this strategy. 




FIG. 1. Illustrating the conjecture on Eve's 2 — > 3 cloning 
strategies: the asymmetric 2^3 cloning machine A{2, 3) is 
actually used at a working point where Eve keeps a perfect 
copy and forwards two identically perturbed photons to Bob, 
produced with the symmetric 1^2 cloning machine S{1, 2). 



any value of the distance d Alice-Bob, we choose a value 
of fi and find the values of pd, Pc2 and Di that opti- 
mize Eve's information under the constraints. This gives 
a value for the secret key rate S. Then we vary /i and re- 
peat the procedure, until the highest value of S is found. 
This defines the optimal value of 

We have done these calculations for the nowadays stan- 
dard (and even conservative) values a = 0.25 dB/km, 
rj = 0.1 and pd = 10~^. Of course, the qualitative fea- 
tures are independent of these precise values. 




40 50 
distance [km] 

FIG. 2. Secret key rate per pulse S as a function of the 
distance, for a — 0.25 dB/km, = 0.1 and pd = 10~^, and 
for V = 1,0.95,0.9,0.85,0.8. The best attack (full line) uses 
Strategy C for 2 — > 3 cloning; the value of the optimal p, is 
fixed by this strategy. For comparison, we plot the results that 
one would obtain using Strategy A for 2 — > 3 cloning (dashed 
lines) and without using any 2^3 cloning (dashed-dotted 
lines), computed for the same p.. 



B. Numerical optimization for Poissonian sources 

We use numerical optimization to find, under Hypothe- 
ses 1-4, Eve's best strategy and the optimal value of Al- 
ice's parameters. We consider a Poissonian distribution 
for Alice's source, 

pj,{n) = pln\^i) = e-^^ (20) 

so that the only parameter that characterizes Alice's 
source is the mean number of photons ^ (see IV A be- 
low for extension to sub-Poissonian sources). As sketched 
above, the numerical optimization is done as follows. For 



The achievable secret key rate S, Eq. (7), is plotted 
in Fig. 2 as a function of the distance, in log scale. The 
full lines are obtained by allowing Eve to use our new 
2^3 cloning attack defined above. Supposing this at- 
tack we can extract, at any distance, an optimal value 
of //: this is the mean number of photons Alice and Bob 
should choose. For the so-computed /i, we then compute 
S by supposing two suboptimal attacks by Eve, namely 
no 2 ^ 3 cloning, and 2^3 cloning with doner A [5]. 
The results of these suboptimal attacks are plotted in 
the discontinuous lines. We see that indeed our strategy 
yields the best results for Eve (the smallest S achiev- 
able), but the difference between the optimal and the 
suboptimal attacks is very small — in fact, under the 
assumptions of practical cryptography this difference is 
completely negligible, see beginning of Section V. 
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1 0.95 0.9 0.85 0.8 0.75 0.7 



visibility 

FIG. 3. Probabilities that define Eve's optimal attack as a 
function of the visibility, for d = 30km, for the optimal /i. In 
the lower half one reads the probabilities for the attacks on 
n = 1; in the upper half, for n = 2. The white symbols rep- 
resent Di (lower half) and D2 (upper half). Note that high 
visibility (small optical errors) are on the left. See text for 
detailed comment. 




1 0.95 0.9 0.85 0.8 0.75 0.7 



visibility 

FIG. 4. The four terms that sum up to Eve's information 
(12) as a function of the visibility, for d = 30km and for 
the optimal fx. Eve's information is divided by the value of 
I{A : B) at any V . See text for detailed comments. 



Figures 3 and 4 illustrate in detail the parameters for 
Eve's optimal attack, for a fixed distance (30 km), as a 
fimction of the visibility V. In Fig. 3 arc plotted the prob- 
abilities introduced in paragraph II D that define Eve's 
strategies on the pulses with n = 1 (lower half of the fig- 
ure) and with n = 2 (upper half). Fig. 4 represents the 
four terms that sum up to Eve's information (12). Much 
information is stored in these graphics: 

• First note that at V < 0.74, that is Qopt > 13%, 
one has I{A : E) = I{A : B) so S = 0. For smaller 
values of the visibility, with our assumptions on the 
attacks and on the numerical values of the param- 
eters, the BB84 protocol becomes insecure for all n 
at 30km. This is due to the characteristics of the 
source: recall that for incoherent attacks on the 
BB84 protocol with perfect single-photon sources, 
the critical visibility is V < 0.7 {Qopt > 14.67%) 
independent of the distance [1,17]. 



• For V = 1, Eve is not allowed to introduce any 
error. Therefore, for n = I she can either block 
or forward the pulse without introducing any error 
{Di = 0), and she gains no information; for n = 2, 
she can only perform the storage attack. 

• As soon asV < 1, Eve's strategy on the one-photon 
pulses does not change, while on the two-photon 
pulses she starts using the cloning strategy. She 
uses it on as many pulses as possible, compatible 
with constraint (15). This situation goes on until 
V ~ 0.88: for that visibility, Eve can perform the 
2 — > 3 cloning attack on all the two-photon pulses. 
Then, for V < 0.88, Eve can start introducing er- 
rors (and gaining some information) on one-photon 
pulses as well; and indeed, we see the increase of Di 
in Fig. 3 and the corresponding increase of Id in 
Fig. 4. 

• In the region 0.88 ^ ^ < 1, we note an ambigu- 
ity of the simulation for the single-photon pulses. 
In fact (Fig. 3) we have pd > but Di = 0, so 
this " cloning" actually amounts to leaving photons 
undisturbed and might as well be accounted for 
through pii. Recall that in paragraph II D we said 
that one can always set pn — 0; it is now clear 
why: as long as Di = 0, letting pass is equivalent 
to cloning; and we see that when Di becomes larger 
than 0, cloning is applied on all the forwarded pho- 
tons so that indeed pn = 0. 

• There is a slight discontinuity in Eve's information, 
visible in Fig. 4, at the point where Eve starts to use 
the cloning strategy on the single-photon pulses. 

We ran more detailed simulations in order to rule 
out the possibility that this is an artefact. It ap- 
pears that this discontinuity is a direct consequence 
of a discontinuous modification of /7,: for that value 
of the parameters, Alice and Bob should decrease 
fj. slightly more than expected by continuity. 

At the end of this discussion, one might reasonably 
raise a doubt. We have just seen that the 2^3 cloning 
machine is used as soon as V < 1, and that for some 
rather high visibility {V ~ 0.88 at d = 30km) it is used 
on all the two-photon pulses. Why then is its effect so 
negligible in comparison to the case when this machine 
is not used, as wc saw in Fig. 2? The reason is that Figs 
3 and 4 would look fundamentally different if the 2^3 
cloning machine is not used. If Eve performs the storage 
attack instead of the cloning attack on the two-photon 
pulses, then she can introduce errors, and consequently 
gain information, on the single-photon pulses: we'd have 
Di > and Id > as soon as V < 1, not only for 
V ^ 0.88. It turns out that all the information, that Eve 
loses on the two-photon pulses by not using the cloning 
attack, is almost exactly compensated by the information 
that she gains on the single-photon pulses. This casts a 
new light on the result of Fig. 2: the difference between 
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the optimal and the suboptimal strategies is smaU, not 
because the 2^3 cloning is rarely used, but because 
the constraints (14) and (15) imply that using the 2^3 
cloning attack on n = 2 reduces the possibility of using 
the 1^2 cloning attack on n = 1. 

IV. EXTENSIONS AND REMARKS 
A. Extension to sub-Poissonian sources 

For the numerical optimization, we have supposed the 

Poissonian distribution for the number of photons pro- 
duced by Alice, because this is the most frequent case 
in practical implementations. However, sub-Poissonian 
sources are being developed for quantum cryptography 
[9]. The main result, namely that 2^3 cloning attacks 
contribute with a very small correction to Eve's infor- 
mation, remains valid for these sources: the fraction of 
pulses with n = 2 photon is even smaller than in the 
Poissonian case, so the contribution of the 2^3 cloning 
attack will be even more negligible — actually, it is even 
possible that, for a sufficiently large deviation from the 
Poissonian behavior, this kind of attack does not help at 
ah. 



B. Extension to other protocols 

One might ask how our study applies to other proto- 
cols. In the last months, practical QKD has witnessed 
great progress: several ideas have bcxai put forward that 
make the PNS attacks less effective by modifying the 
hardware [8], the classical encoding [6,7] or the quantum 
encoding [26]. Of course, even if the PNS can never be 
used by Eve, multi-photon pulses open the possibility for 
elaborated cloning attacks: these must be taken into ac- 
count when assessing the security of new protocols. 

C. About reverse reconciliation 

In Section II, when defining S in (7), we mentioned the 

fact that I{B : E) is slightly smaller than I{A : E) here, 
so that Alice and Bob would better do " reverse reconcil- 
iation" [27]. In this paragraph, we want to elaborate a 
little more on this point. 

The first cause of the relation I{B : E) < I{A : E) is 
the presence of dark counts: when Bob accepts an item, 
Eve (as well as Bob himself) does not know if his detec- 
tor fired because of the photon that she has forwarded 
(and on which she has some information) or because of 
a dark count (on which she has no information). It is 
easy to take this effect into account. Suppose that Eve 
forwards n photons to Bob. Conditioned to this knowl- 
edge, Bob's detection rate reads r„ = Vph + Vdark where 
Tph = (1 - (1 - »?)") and rdark = (1 - ??)"• Thus, to 



obtain I{B : E), the n-photon contribution to formula 
(12) should be multiplied by a factor (1 — H{en)), where 
en = fdark/rn- Now, ci ~ Pdh, and e„>2 < ei; so all 
these corrections are really negligible. 

The second contribution is much less easily estimated: 
it comes from the 2-^3 cloning machines. The formu- 
lae we used for Strategies A and B, derived by CL [5], 
refer to the mutual information Alice-Eve. In Strategy 
C, that looks optimal when I{A : E) is optimized. Eve's 
information on Bob's result is smaller than 1 because she 
does not know deterministically whether Bob will obtain 
the same bit as Alice or the wrong bit. This study would 
require some more work. We don't think this work is 
worth while doing, after seeing how small is the correc- 
tion introduced on the final values of n and S by taking 
the 2^3 cloning attack into account. 

V. ANALYTICAL FORMULAE FOR RAPID 
ESTIMATES 

A. Further simplifying assumptions 

As mentioned before, the goal of this Section is to pro- 
vide some simple formulae that allow a good estimate of 
the important parameters (optimal mean number of pho- 
tons, expected secret key rate S, maximum distance) for 
implementations of the BB84 protocol, without resorting 
to the full numerical optimization. Indeed, for practical 
implementations, absolute precision of these calculations 
is not required: on the one hand, existing algorithms 
for error correction and privacy amplification (EC-I-PA) 
reach up to some 80% of the attainable S; on the other 
hand, nobody is going to operate his crypto-system too 
close to the critical distance. So in short, what one 
needs is (i) an estimate of the critical distance in or- 
der to keep away from it, (ii) an estimate of the optimal 
mean number of photons per pulse in order to calibrate 
the source, and (iii) an estimate of the secret-key rate (of 
Eve's information) in order to choose the parameters for 
EC+PA. Note that similar formulae have been found by 
Liitkenhaus [3]; in that work, however. Eve was supposed 
to have an influence on all the sources of inefficiency, in 
particular the parameters of the detector. This is why 
we can't simply refer to Liitkenhaus' results here. 

Thus, for this analysis, we make two further simplify- 
ing assumptions on Eve's attack, namely: 

1. We neglect completely the contribution of the 

pulses with n > 3 photons. Since we are interested 
in sources where the mean number of photons /U is 
significantly smaller than 1, we have 

p^(l)=M, p^(2)=52y (21) 

whence in particular 1 — pb(0) w iitrj. The factor 
(?2 is 1 for a Poissonian source, smaller than 1 for 
sub-Poissonian sources. 
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2. For n = 2, wc neglect the 2—^3 cloning attack 
and focus only on storage attacks, that is p2s = 1- 
In fact, we have seen that the cloning attack plays 
a non- negligible role only for V ~ 0.8; but this 
means an optical QBER of 10%, which is enormous 
and would lead to the failure of the EC+PA al- 
gorithms. For practical cryptography, V > 0.9 is 
required, and in this region the correction due to 
cloning 2 — > 3 is really negligible. 



C. Formulae for high visibiHty and not too long 

distances 



To perform analytical optimization, we must get rid of 
the /i-depcndence in the non-algebraic functions H{Q) 
and Ji(Di). This can be done for not too long distances, 
that is when 2pd <C utrj, because then Q ~ Qopt = 
Moreover, one can easily see that for y = 1, the optimal 
/X (satisfying || = 0) is 



B. S eis a function of n alone 

Using the Poissonian distribution (20), the mutual in- 
formation Alice-Bob (6) reads 

I{A : = ^ {^^t7^ + 2pd) (1 - H{Q)) (22) 



with the QBER 



(23) 



Using our assumptions i?2c = -R3 =0, the first constraint 

2 

(14) that Eve must fulfill reads rj + 92^11 = IJ-tr], 
whence one can extract 



a 

Pci=t - 92- 



(24) 



The second constraint (15), using i?,2c = and 
the expression we have just found for Pci, reads 
M - 92%) vDi = fJ-tr] (^^) , whence 



M = - (U = l). 
92 



(27) 



Therefore, we set this value for /z in Di, so that now 

Di = 1 — U = 2Qopt becomes also independent of /i [28]. 
This gives Pi = P = i - ^/V(T^^. Under these new 
assumptions 



5(/x) ^ i M?? [t{H{P) - H{Q,pt)) - 92^H{P) 



the maximum is obtained for ^ =0, that is 



(28) 



92 



1 - 



H{Qopt) 
H{P) 



(29) 



This must be non-negative, so this approximation (in 
particular here, the approximation ^ = t/92 m Di) is 
valid provided Qopt < P, that is for V > 0.8; as we dis- 
cussed in the introduction of this Section, this is perfectly 
consistent with the visibility requirements in practical se- 
tups. Inserting (29) into (28), we find an explicit formula 
for the secret key rate 



1-V 
2 - 92lJ'/t 



(25) 



S.y^^HiP)[l 



HjQopt) 
H{P) 



(30) 



Then, the mutual information Alice-Eve (12) reads 



I{A:E) = ^tJir^ 



{t-g2^)h{D,)+92^ 



(26) 



where wc recall that Ii{D\) 
1 
2 



1 - H{Pi) with Pi 



Presently then, S — I{A : B) — I{A : E) is written as 
a function S{ijl) of jjL alone — in particular, our hypothe- 
ses removed two of the four parameters of Eve's attacks, 
and because of the two constraints there are no more 
free parameters for Eve. One can then find the optimal 
/Lt as a function of the distance, and the corresponding 
5, by running a numerical optimization of S'(/i). This 
is already simple enough and gives very accurate results, 
see Fig. 5. Still, we want to go a few steps forward, to 
provide less accurate but explicit formulae. 



In the limiting case V = 1 — e we can set H{P) = 1 
while H{Qopt) = H{s/2) cannot be neglected because 
H increases very rapidly for its argument close to zero. 
Therefore 



{V=l-e). 



(31) 



This formula has an intuitive meaning [29] ; ^ 77 1 ^ is 
simply the sifted-key rate; H{e/2) is the fraction that 
must be subtracted in error correction, and a fraction ^ 
is subtracted in privacy amplification because of the PNS 
attack [28]. 

For distances far from the critical distance, the agree- 
ment of both (29) and (30) with the exact results is again 
satisfactory (Fig. 5). 
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D. Exact limiting distance for V = 1 



For the value of the limiting distance, we were able 
to find a closed formula only for the case V = 1. The 

idea is that fi decreases very rapidly when approaching 
the limiting distance, so that now /itry <C Pd- The QBER 
(23) becomes Q = ^ - e with e = ^ [30]. Now, it holds 

1 - (i - e) = j|2£^ + 0(£^). Inserting this into (22) 
we obtain 



On the other hand, I {A : E) is still given by (26), of 
course with h{Di) = since V = 1, so I{A : E) = 
252W^- The limiting distance is thus defined by impos- 
ing I{A : B) = I{A : E) i.e. 5 = 0, that is, by the 
attenuation 



tHm = ^2\n2g2j. (33) 



This result is in good agreement with the limiting dis- 
tance found in the exact calculation, sec Fig. 5. The 
calculation of (33) is easy because /x drops out of the 
condition 5 = 0; this is no longer the case for F < 1, 
that's why the estimate of the limiting distance becomes 
cumbersome: one has to provide the link between ji and 
t when approaching that distance, different from (29). 
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FIG. 5. Optimal /j, and secret key rate per pulse S (log 
scale) for Poissonian sources as a function of the distance, for 
a = 0.25, ri = 0.1 and pa = 10"^ and for V = 1,0.9,0.8. 
Comparison of the exact results (dashed lines, coming from 
Fig. 2) with two approximations: (I) Full lines: numerical 
optimization over // alone as discussed in paragraph VB. (II) 
Dotted lines: explicit formulae (29) and (30), that cannot be 
used for V — 0.8. For V = 1, the vertical asymptote is the 
limiting distance defined by (33). 



VI. CONCLUSION 

In conclusion, wc have discussed incoherent attacks on 
the BB84 protocol in the presence of multi-photon pulses 
that allow both for the photon-number splitting and the 
2—^3 cloning attacks. We have identified a new efficient 
2^3 cloning attack: Eve keeps one of the incoming pho- 
tons, and sends the other one into the suitable symmetric 
1^2 doner, then forwards the two photons to Bob. The 
effect of taking the cloning attacks into account is negli- 
gible for realistic values of the parameters (in particular, 
for an optical visibility V > 0.9) with respect to the PNS 
attacks. This means that these attacks do not change 
the security of BB84; however, they may be important 
when assessing the security of modified protocols aimed 
at countering the PNS attacks. 
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